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1 m A method of generating a common secret between a first party and a second 

party, in which the first party holds a value pi and a symmetrical polynomial P(x,y) fixed in 
the first argument by the value pi, and the first party performs the steps of sending the value 
pi to the second party, receiving a value p 2 from the second party and calculating the 
5 common secret Si by evaluating the polynomial P(pi, y) in p 2 , characterized in that the first 
party additionally holds a value qi and a symmetrical polynomial Q(x, z) fixed in the first 
argument by the value qi, and further performs the steps of sending qi to the second party, 
receiving a value q 2 from the second party and calculating the secret Si as 
Si=Q(qi, q 2 ) P(Pi, P2). 
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2. The method of claim 1, in which the first party further performs the steps of 

obtaining a random number r u calculating r r qi, sending r r qi to the second party, receiving 
r 2 q 2 from the second party and calculating the secret Si as Si=Q(qi, r r r 2 q 2 ) P(pi, p 2 ). 

15 2. The method of claim 2, in which the first party holds the value qi multiplied 

by an arbitrarily chosen value r, and the product Q(qi, z)P(pi, y) instead of the individual 
polynomials P(pi, y) and Q(qi, z), and the first party performs the steps of calculating r r r q u 
sending rpr qi to the second party, receiving r 2 r q 2 from the second party and calculating the 
secret Si as Si=Q(qi, r r r 2 r q 2 ) P(pi, p 2 ). 
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4. The method of claim 1, in which the second party holds a value p 2 and a value 
q 2 , the symmetrical polynomial P(x, y) fixed in the first argument by the value p 2 , the 
symmetrical polynomial Q(x, z) fixed in the first argument by the value q 2 , and the second 
party performs the steps of sending q 2 to the first party, receiving q, from the first party and 

25 calculating a secret S 2 as S 2 =Q(q 2 , qi>P(p 2 , Pi), whereby the common secret has been 
generated if the secret S 2 equals the secret Si. 

5. The method of claim 1 , in which a trusted third party performs the steps of 
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choosing a symmetric (n+1) x (n+1) matrix T, constructing the polynomial P using entries 
from the matrix T as respective coefficients of the polynomial P, constructing the polynomial 
Q(x, y), choosing the value pi, the value p 2 , the value qi and the value q 2 , sending the value 
pi, the value qi, the polynomial P(x, y) fixed in the first argument by the value pi and the 
5 polynomial Q(x, z) fixed in the first argument by the value qi to the first party, and sending 
the value p 2> the value q 2 , the polynomial P(x, y) fixed in the first argument by the value p 2 
and the polynomial Q(x, z) fixed in the first argument by the value q 2 to the second party 

6. The method of claim 5, in which the trusted third party further arbitrarily 

10 chooses a value r, sends the value pqi instead of the value qi and the product Q(qi, z)P(pi, y) 
instead of the individual polynomials P(pi, y) and Q(qi, z) to the first party and sends the 
value r q 2 instead of the value q 2 and the product Q(q 2 , z)P(p 2 , y) instead of the individual 
polynomials P(p 2 , y) and Q(q 2 , z) to the second party. 

15 7 . The method of claim 5, in which the trusted third party further performs the 

steps of 

choosing a set comprising m values p*, including the values pi and p 2 , 
calculating a space A from the tensor products ® p V j of the Vandermonde 

vectors p? built from the set of values pi, 
20 choosing a vector y x and a vector y 2 from the perpendicular space A 1 of the 

space A, constructing a matrix T r = T+Tj from the vector y x and a matrix T r2 = T+r 2 from 

the vector y 2 , constructing a polynomial P r * (x, y) using entries from the matrix T r and 

sending the polynomial P r » (x, y) fixed in the first argument by the value pi to the first party, 
and 

25 constructing a polynomial P r 2 (x, y) using entries from the matrix Tp 2 and 

sending the polynomial P r 2 (x, y) fixed in the first argument by the value p 2 to the second 
party. 
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8. The method of claim 5, in which a number m ' of values pi, and m ' < m 9 are 

distributed to additional parties. 
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9. The method of claim 1 , in which the first party and the second party use a non- 
linear function on the generated secret SI and S2, respectively, before using it as a secret key 
in further communications. 
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10. The method of claim 9 in which a one-way hash function is applied to the 
generated secrets SI and S2. 

1 1 . The method of claim 9 in which a non-linear function in the form of a 
10 polynomial is applied to the generated secrets SI and S2. 

1 2. The method of claim 1 , further comprising the step of verifying that the 
second party knows the secret S\. 

15 13. The method of claim 12, in which the first party subsequently applies a zero- 

knowledge protocol to verify that the second party knows the secret S\. 

14. The method of claim 12, in which the first party subsequently applies a 
commitment-based protocol to verify that the second party knows the secret Si. 
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1 5 . The method of claim 1 4, in which the second party uses a symmetric cipher to 
encrypt a random challenge, and sends the encrypted random challenge to the first party and 
the first party subsequently uses the same symmetric cipher as a commit function to commit 
himself to a decryption of the encrypted random challenge. 
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1 6. A system (100) comprising a first party (P), a second party (V) and a trusted 
third party (TTP), arranged to execute the method of any of the claims above. 

17. A device (P) arranged to operate as the first party and/or as the second party in 
30 the system of claim 16. 

1 8. The device of claim 17, comprising storage means (303) for storing the 
polynomial P and the polynomial Q in the form of their respective coefficients. 
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19. A computer program product for causing one or more processors to execute 

the method of any of the claims 1-15 above. 



